Re: CfC to publish FPWD of CSP Pinning; deadline Feb. 9th

Great!

Mike West <mkwst@google.com> writes:
> Because I don't understand why ServiceWorkers have introduced
> path-based granularity. As I noted in that thread (and as Brian
> agreed), the origin makes sense as a security boundary. Pretending
> that such a boundary exists for paths seems problematic.

I suppose the one case where the path-based approach helps is the
university scenario, where e.g. stanford.edu/~evil sets an
overly-restricting CSP that ends up breaking *.stanford.edu.  The right
thing here is for the admin to disallow setting such headers, but I can
see that becoming a problem. (But, I guess ~evil can already mess with
cookies, etc.)

In any case, I agree with sticking to the origin as the security
boundary; I was more curious to see if you got any info from Alex or
others on the path stuff off-list.

Deian
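The point both sides of this exchange make (pins attach to an origin, so a path like /~evil cannot have its own security boundary, and the fix belongs with the server admin) can be made concrete with a small model. The following is an added example written for this archive page; it is not code from the CSP Pinning draft, from Mike or Deian, or from any browser. It assumes the draft's header name Content-Security-Policy-Pin with `max-age` and `includeSubDomains` directives as described in the FPWD; the `PinStore` class, the `strip_user_dir_pins` admin-side filter, the `/~user` path rule and the stanford.edu responses are all constructed for illustration.

```python
"""Model of origin-scoped CSP pinning and an admin-side mitigation.

Added illustration for the mailing-list discussion; not code from the
CSP Pinning draft or any browser.  Header name and directives follow the
FPWD as the author of this example understands it (assumption).
"""
from urllib.parse import urlsplit

PIN_HEADER = "Content-Security-Policy-Pin"  # header name from the draft (assumed)


def make_origin(scheme, host, port):
    """Build a scheme://host[:port] origin string, dropping default ports."""
    default = {"https": 443, "http": 80}[scheme]
    if port in (None, default):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def origin_of(url):
    """Return the origin of a URL; the path is deliberately ignored."""
    p = urlsplit(url)
    return make_origin(p.scheme, p.hostname, p.port)


def parse_pin(value):
    """Split a pin header value into (max_age, include_subdomains, policy).

    max-age is mandatory; includeSubDomains is an optional flag; every
    other token is kept as the pinned CSP policy text.
    """
    max_age, include_sub, policy = None, False, []
    for token in (t.strip() for t in value.split(";")):
        if not token:
            continue
        low = token.lower()
        if low.startswith("max-age="):
            max_age = int(low.split("=", 1)[1])
        elif low == "includesubdomains":
            include_sub = True
        else:
            policy.append(token)
    if max_age is None:
        raise ValueError("max-age is required in a pin header")
    return max_age, include_sub, "; ".join(policy)


class PinStore:
    """Pins keyed by origin, never by path: any response on the origin sets them."""

    def __init__(self):
        self.pins = {}  # origin -> (expiry, include_subdomains, policy)

    def observe(self, url, headers, now):
        """Record (or clear, on max-age=0) the pin carried by a response."""
        value = headers.get(PIN_HEADER)
        if value is None:
            return
        max_age, include_sub, policy = parse_pin(value)
        origin = origin_of(url)
        if max_age == 0:
            self.pins.pop(origin, None)
        else:
            self.pins[origin] = (now + max_age, include_sub, policy)

    def policy_for(self, url, now):
        """Return the pinned policy for url, honouring includeSubDomains on parents."""
        p = urlsplit(url)
        labels = p.hostname.split(".")
        for i in range(len(labels)):
            origin = make_origin(p.scheme, ".".join(labels[i:]), p.port)
            entry = self.pins.get(origin)
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:  # exact origin, or a parent that opted in
                return entry[2]
        return None


def strip_user_dir_pins(path, headers):
    """Hypothetical admin-side filter: drop pin headers from /~user/ content."""
    if path.startswith("/~"):
        return {k: v for k, v in headers.items() if k.lower() != PIN_HEADER.lower()}
    return headers


def scenario(admin_filter_enabled):
    """Constructed run of the university scenario.

    A user-directory page on stanford.edu sends an overly strict pin; we
    return the policy an unrelated page on a subdomain then inherits.
    """
    store = PinStore()
    path = "/~evil/index.html"
    headers = {PIN_HEADER: "max-age=3600; includeSubDomains; default-src 'none'"}
    if admin_filter_enabled:
        headers = strip_user_dir_pins(path, headers)
    store.observe("https://stanford.edu" + path, headers, now=0)
    return store.policy_for("https://cs.stanford.edu/courses/", now=10)


if __name__ == "__main__":
    print("without admin filter:", scenario(False))  # the whole origin tree is pinned
    print("with admin filter:   ", scenario(True))   # nothing pinned
```

Running `scenario(False)` shows that a pin emitted from /~evil/ lands on the stanford.edu origin and, with `includeSubDomains`, reaches cs.stanford.edu as well; `scenario(True)` shows the admin-side rule Deian describes, where the server simply never lets user-directory responses carry the header. Nothing in the store is keyed by path, which is the design choice the thread argues for.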

Received on Monday, 16 February 2015 20:02:48 UTC